
Security Expert Evades Apple’s Mobile Security Measures via iOS Vulnerability

Apple security guru Charlie Miller said he has uncovered a bug in Apple iOS that allows an attacker to circumvent Apple’s code signing approach.

According to Miller, who is principal research consultant with Accuvant Labs and a veteran of the Apple bug-finding world, the vulnerability could spell trouble for iOS users if exploited.


Charlie Miller Uncovers New iOS Vulnerability (image caption)

Code signing has been a key element of Apple’s security strategy for iOS. Code signing is used to validate executables and libraries and to determine whether or not code has been modified by someone besides the signer. In a presentation at the upcoming SyScan 11 conference in Taiwan, however, Miller intends to demonstrate how a bug can help attackers get around all this.

Code signing is enforced continuously, including at execution time, with one important exception from iOS 4.3 on: the Nitro JIT compiler is allowed to add dynamic, unsigned code to a process while it is running.
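The two rules the article describes, that every executable and library must carry a valid signature over its contents and that a JIT-entitled process may add unsigned code once, can be modelled in a few lines. The following Go program is an added example written for this page; it is not Apple's kernel code, Miller's proof of concept, or any real loader. The image format, the `Process` policy state and the error values are hypothetical, and an Ed25519 key pair stands in for Apple's certificate chain. It shows why a one-byte modification after signing is caught, and how the intended single-use JIT allowance is meant to behave for an entitled process versus an ordinary app.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is a constructed stand-in for a signed executable: the code
// bytes plus a signature over their SHA-256 digest. Hypothetical format,
// not Apple's Mach-O code signature blob.
type SignedImage struct {
	Code []byte
	Sig  []byte // empty for unsigned, dynamically generated (JIT) code
}

// SignImage signs the digest of code with the vendor's private key.
func SignImage(priv ed25519.PrivateKey, code []byte) SignedImage {
	digest := sha256.Sum256(code)
	return SignedImage{Code: code, Sig: ed25519.Sign(priv, digest[:])}
}

// VerifyImage checks that the signature matches the code as it is now, so
// any byte changed after signing makes verification fail.
func VerifyImage(pub ed25519.PublicKey, img SignedImage) bool {
	if len(img.Sig) == 0 {
		return false
	}
	digest := sha256.Sum256(img.Code)
	return ed25519.Verify(pub, digest[:], img.Sig)
}

// Process models the loader-side policy state: whether the process holds
// the JIT entitlement and whether it has already used its single unsigned
// region. Hypothetical model of the rule the article describes.
type Process struct {
	JITEntitled bool
	jitUsed     bool
}

var (
	ErrUnsigned     = errors.New("unsigned code rejected: no JIT entitlement")
	ErrJITExhausted = errors.New("unsigned code rejected: JIT allowance already used")
	ErrBadSignature = errors.New("signature does not match code")
)

// LoadCode is the intended enforcement rule: signed code always loads;
// unsigned code loads only once, and only for an entitled process.
func (p *Process) LoadCode(pub ed25519.PublicKey, img SignedImage) error {
	if len(img.Sig) > 0 {
		if !VerifyImage(pub, img) {
			return ErrBadSignature
		}
		return nil
	}
	if !p.JITEntitled {
		return ErrUnsigned
	}
	if p.jitUsed {
		return ErrJITExhausted
	}
	p.jitUsed = true
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := SignImage(priv, []byte("constructed code bytes"))
	fmt.Println("valid image verifies:", VerifyImage(pub, img))

	// Flip one bit after signing: the digest no longer matches the signature.
	tampered := SignedImage{Code: append([]byte(nil), img.Code...), Sig: img.Sig}
	tampered.Code[0] ^= 0x01
	fmt.Println("tampered image verifies:", VerifyImage(pub, tampered))

	// An ordinary app has no entitlement; a browser-like process gets one use.
	app := &Process{}
	fmt.Println("app loading JIT code:", app.LoadCode(pub, SignedImage{Code: []byte("jit")}))
	browser := &Process{JITEntitled: true}
	fmt.Println("browser first JIT region:", browser.LoadCode(pub, SignedImage{Code: []byte("jit")}))
	fmt.Println("browser second JIT region:", browser.LoadCode(pub, SignedImage{Code: []byte("jit")}))
}
```

The design point is that the signature check is stateless and purely cryptographic, while the JIT exception is a stateful policy decision; Miller's remark that the flaw was a logic bug rather than memory corruption is a reminder that the second kind of check needs the same scrutiny as the first.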

“The exception allows them to do Just-in-time compiling which will speed up the performance of any JavaScript engine,” he told SecurityWeek. “The drawback is it allows for unsigned code to run in this one case. They work very hard to restrict it to only in the browser and only one time, but they made one small mistake.”

To demonstrate the vulnerability on YouTube, he used a proof-of-concept app called Instastock, which successfully made its way into the App Store. It has since been removed.

“We can trust all the apps in the App Store because they have all been reviewed by Apple engineers,” he said. “But, this flaw shows that apps which have been reviewed can use this flaw to download new unsigned, unreviewed code and run it. It basically means we can’t trust the app store until it’s fixed. People could place ‘safe’ programs into the App Store that then download malicious code like malware.”

According to Miller, the bug is hard to find, but trivial to exploit.

“It is in the XNU kernel so source code is available, but is deceptive,” he said. “I found it by reverse engineering the kernel. I probably wouldn’t have found it looking at the source code. It’s an interesting bug. Exploitation is easy. It’s a logic bug; you just have to send in the right data to circumvent the checks they have to stop you from executing unsigned code. No buffer overflow, no heap manipulation, etc.”


After announcing this afternoon that Apple had pulled his app from the App Store, Miller disclosed via Twitter on Monday evening that Apple had kicked him out of the iOS Developer Program.

Miller’s presentation is scheduled for Nov. 18.

 
